Dennis Fisher

About

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Experts call for White House lead on cybersecurity

In case you’ve missed it, there’s been a lot of talking in Washington lately about the need for major changes to the way that information security is handled in the federal government as well as the private sector. So far that talk hasn’t led to much in the way of action, but that may be on the horizon, as lawmakers and members of the Obama administration continue to look at the problems facing the country’s critical infrastructure. A Senate hearing on Tuesday laid out, again, how critical the problem is and what experts believe should be done to fix it.

Health scares can provide lessons for security

The swine flu outbreak has inspired a flood of comparisons and false analogies to Conficker and other worms, most of which miss the many key differences between the Internet infrastructure and the human population. But there are lessons that security personnel can learn from the ways that health organizations respond to and handle epidemics.


The cooperative effort of ISPs, security vendors, volunteer groups and other interested parties has helped develop a quick and efficient method for taking down phishing sites, usually within hours or days of their appearance. However, many phishing sites that have been up for a week or more still send out quite a lot of spam and also draw in new phishing victims, according to a new paper by researchers at the University of Cambridge.

A bill set to be introduced in the Senate on Tuesday would make wholesale changes to the way that the federal government handles information security, including the establishment of a Nation Officer for Cyberspace, which would sit right below the president. According to a story on SearchCompliance.com, the bill, known as the Information and Communications Enhancement Act, also contemplates an overhaul of the controversial FISMA legislation.

From SearchSecurity.com (Robert Westervelt)

The debate around cloud security is quickly beginning to mirror the one that has followed virtualization security for the last few years. What begins as a philosophical discussion usually devolves into arguments about technology or vendor roles. In a panel at the RSA Conference, several experts waded back into the virtualization security waters, with the expected fireworks.

Much of the talk at the RSA Conference last week centered on the lack of the unifying theme or big-time story that usually emerges to take over the show by mid-week. But there was, in fact, a major story, and it was the abject failure of the Obama administration, in the person of Melissa Hathaway, to deliver any concrete details on its plans to drag the country’s information security infrastructure out of the quagmire it’s been in for nearly a decade.

The interdependencies and interconnections of the networks that run the country’s critical infrastructure assets such as water, power and gas have created a dangerously fragile system in which security is just now becoming a priority, experts say. For years the priorities for these networks have been safety, compliance and reliability, while security has only become a factor very recently, a panel of security officers from telecom and utility operators said at the RSA Conference on Thursday.

From Wired.com (Kim Zetter)

Attackers are becoming more and more organized and efficient in their information-stealing efforts and are using tactics gleaned from security professionals to get better at what they do. In a panel discussion at the RSA Conference, Joe Stewart of SecureWorks said the trend toward organized, professional groups of attackers is moving to another level now.